It has been discovered that identifying files introduced into a system, particularly those originating from external sources, as being subject to security evaluation and deferring the security evaluation until access or attempted access of the file reduces security vulnerabilities of a system. A file introduced into a processing system is tagged with a security tag if the file is introduced via a supervised introduction point and/or introduced by a supervised program. Upon access or attempted access of the tagged file, security evaluation is initiated on the file.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of managing files received by a processing system from a source external to the processing system, the method comprising the acts of: introducing a file into the processing system for retention in a memory space of the processing system; under control of the operating system of the processing system, tagging the file with a machine readable security tag; and upon an activation event for the tagged file in the processing system, implementing the processing system to detect the machine readable security tag and to initiate a security evaluation of the file; wherein the introduction of the file is initiated in a user space of the operating system of the processing system.
2. The method of claim 1 further comprising the acts of: determining that an introduction point to the processing system is one of a set of introduction points to the processing system previously identified as subject to security supervision; and determining that the file is received via the introduction point; and wherein said act of tagging is in accordance with said act of determining that the file is received via the introduction point.
3. The method of claim 2 further comprising the act of identifying the set of introduction points.
4. The method of claim 1 further comprising the acts of: identifying a set of applications as subject to security supervision; and determining that a first application of the set of applications receives the file, wherein said act of tagging is contingent on determining that the first application is one of the identified set of applications.
5. The method of claim 1 further comprising the act of determining that the file is associated with the security tag prior to initiating the security analysis.
6. The method of claim 1 , wherein the security analysis comprises at least one of a set of acts consisting essentially of analyzing a file type of the file, analyzing content of the file, and determining source of the file.
7. The method of claim 1 , wherein said act of tagging comprises at least one of a set of acts consisting essentially of marking the file, installing executable code in the file that implements said act of initiating, and setting a value in the file.
8. The method of claim 1 further comprising the act of recording additional information about the file coincident with said act of tagging the file, wherein the additional information is selected from a group consisting essentially of one or more of, the network address of a source of the file, the creation date of the file, the server name of the source of the file, the date the file was last modified, the author of the file, and the source context for the file, wherein the source context information allows determination of a conveyor of the file.
9. A method of operating a processing system to provide a measure of security as to files received from sources external to the processing system, the method comprising the acts of: coincident with introduction of a file into the processing system for retention in a memory space therein, under control of an operating system of the processing system indicating that the file is subject to an access-based security evaluation by tagging the file with a machine readable security tag; receiving a command in the processing system to access the file with said machine readable security tag retained therein; and initiating the access-based security evaluation for the file coincident with and in response to access of the file at the processing system; wherein the introduction of the file is initiated in a user space of the operating system of the processing system.
10. The method of claim 9 , wherein the security measure comprises at least one act selected from a set consisting essentially of generating a notification, quarantining the file, denying access to the file, and preventing activation of the file.
11. The method of claim 9 , wherein said access of the file comprises one of a set consisting essentially of an open event, an execute event, a link event, and a transmit event.
12. The method of claim 9 further comprising the acts of: determining whether an application that introduces the file is indicated as subject to security supervision, wherein said act of indicating is in accordance with said act of determining.
13. The method of claim 12 , wherein the application is selected from a set consisting essentially of an e-mail client, a browser, a virtual machine, and a file transfer protocol application.
14. The method of claim 9 further comprising the acts of: determining that the file contains at least a second file; and indicating that the second file is subject to access-based security evaluation.
15. The method of claim 14 , wherein said act of indicating is performed upon attempted access of the second file, wherein the attempted access is selected from a set consisting essentially of moving the second file, copying the second file, discovering the second file, and identifying the second file.
16. A method of securing a processing system comprising the acts of: through use of a processor, under control of an operating system of the processing system, detecting a request for memory space in the processing system for a file from an application; coincident with said act of detecting, under control of the operating system of the processing system, using a processor to establish a machine readable indication that activation of the file is contingent on a security analysis of the file by taming the file with a machine readable security tag; and upon receiving an activation event the processing system for the file with said machine readable security tag, using a processor to initiate the security analysis of the file coincident with the attempted activation of the file; wherein the request for memory space is initiated in a user space of the operating system of the processing system.
17. The method of claim 16 further comprising the act of recording information for the file including at least one of a set of information items consisting essentially of the file source, the introduction time, the source of the application, the privilege level of the application, and the source context, wherein the source context information for the file indicates an object instance of the application that conveys the file.
18. The method of claim 17 further comprising the act of bypassing the act of indicating if the file is written to a pre-defined security bypass location.
19. The method of claim 16 further comprising the act of identifying the application as subject to security supervision.
20. A machine-readable storage device comprising a computing machine program product in the form of a plurality of instructions encoded in the machine-readable storage device, the instructions comprising: operating system instructions executable to provide an operating system for a processing system, the operating system instructions comprising kernel level operations for such a processing system, the operating system instructions further comprising, a first sequence of instructions executable to set a security indication that indicates activation of a file introduced from an external source is subject to security analysis by tagging the file with a machine readable security tag; and a second sequence of instructions executable to initiate security evaluation of a file coincident with attempted access of the file if the file to be accessed is tagged with a machine readable security tag; wherein the introduction of the file is initiated in a user space of the operating system of the processing system.
21. The machine-readable storage device of claim 20 , wherein the instructions further comprise: a third sequence of instructions executable to identify a set of applications subject to security supervision, wherein the first sequence of instructions are further executable to set the security indication if an application that introduces the file is determined to be within the set of applications.
22. The machine-readable storage device of claim 20 , wherein the instructions further comprise a third sequence of instructions executable to identify a set of one or more introduction points into a processing system that are subject to security supervision, wherein the first sequence of instructions are further executable to set the security indication if the file is introduced into the processing system via one of the set of identified introduction points.
23. The machine-readable storage device of claim 20 , wherein the instructions further comprise a third sequence of instructions executable to determine whether the file is written to a pre-defined safe location configured as a bypass of the security analysis and executable to bypass execution of the first sequence of instructions if so determined.
24. The machine-readable storage device of claim 20 , wherein the first sequence of instructions is further executable to indicate that one or more files embedded within a file are subject to the security measure if the file has been indicated as subject to the security analysis.
25. The machine-readable storage device of claim 20 , wherein the instructions further comprise a third sequence of instructions executable to set a security indication for an embedded file coincident with an operation selected from a set of operations consisting essentially of copying, moving, extracting, displaying, and identifying the one or more embedded files.
26. A machine-readable storage device having instructions encoded therein, which when implemented by a machine, cause operations to be performed which comprise: a first plurality of predetermined operations of at least one application, which when executed provide a set of predetermined functionality of the machine to a user; and operating system functionality of an operating system including kernel level system operations, the operating system functionality further comprising the operations of, monitoring files of at least one application that receives files from a source external to the machine; associating a security indicator with a file received by the at least one application from a source external to the machine by tagging the file with a machine readable security tag; coincident with an operation to access a file with a machine readable security tag, evaluating the file for a possible security threat; wherein the introduction of the file is initiated in a user space of the operating system.
27. The machine-readable storage device of claim 26 , wherein the predetermined functionality provided by the first plurality of predetermined operations is at least one of a set consisting essentially of file management functionality, machine resource management functionality, communication functionality, and machine resource interface functionality.
28. The machine-readable storage device of claim 26 , wherein the second plurality of operations further comprise: propagating a security indicator associated with a file having an associated security indicator to one or more files embedded within the file.
29. The machine-readable storage device of claim 26 further comprising a third plurality of comprising recording information about the received file, the information selected from a group consisting essentially of one or more of, the network address of a source of the file, the server name of the source of the file, date information for the file, author information for the file, and source context information for the file, wherein the source context information for the file indicates an object instance of the application that conveys the file.
30. An apparatus comprising: a set of one or more processors operable to execute a set of one or more applications that introduce files into the apparatus, and to execute instructions of an operating system of the apparatus; means for causing the operating system to set a security indication for a file introduced by a first application of the set of applications if the first application is indicated in a set of one or more applications previously identified as subject to security supervision by tagging the file with a machine readable security tag; and means for causing the operating system to initiate the security evaluation coincident with attempted access of a file if the file to be accessed is tagged with a machine readable security tag; wherein the introduction of the file is initiated in a user space of the operating system of the apparatus.
31. A method of operating a processing system to provide a measure of security as to files received from sources external to the processing system, the method comprising the acts of: coincident with introduction of a file into the processing system for retention in a memory space therein, under control of an operating system of the processing system indicating that the file is subject to an access-based security evaluation by tagging the file with a machine readable security tag; receiving a command in the processing system to access the file retained therein; and initiating the access-based security evaluation for the file coincident with and in response to access of the file at the processing system with said machine readable security tag; wherein the operating system interfaces with the hardware of the processing system.
32. An apparatus comprising: a set of one or more processors operable to execute a set of one or more applications that introduce files into the apparatus, and to execute instructions of an operating system of the apparatus; means for causing the operating system to set a security indication for a file introduced by a first application of the set of applications if the first application is indicated in a set of one or more applications previously identified as subject to security supervision by tagging the file with a machine readable security tag; and means for causing the operating system to initiate the security evaluation coincident with attempted access of a file if the file to be accessed is tagged with a machine readable security tag; wherein the operating system interfaces with the hardware of the apparatus.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
February 7, 2007
May 15, 2012
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.